adds verify_mode to context

2016-12-05 19:15:08 -03:00 · 2016-12-05 19:15:08 -03:00 · 368f2baf88
parent 8eec3cb874
commit 368f2baf88
4 changed files with 50 additions and 13 deletions
--- a/wrapper/python/wolfssl/test/test_context.py
+++ b/wrapper/python/wolfssl/test/test_context.py
@ -125,6 +125,13 @@ class TestSSLContext(unittest.TestCase):

    def test_context_creation(self):
        self.assertIsNotNone(self.ctx)
+        self.assertEqual(self.ctx.verify_mode, self.provider.CERT_NONE)
+
+        self.ctx.verify_mode = self.provider.CERT_OPTIONAL
+        self.assertEqual(self.ctx.verify_mode, self.provider.CERT_OPTIONAL)
+
+        self.ctx.verify_mode = self.provider.CERT_REQUIRED
+        self.assertEqual(self.ctx.verify_mode, self.provider.CERT_REQUIRED)

    def test_load_cert_chain_raises(self):
        self.assertRaises(TypeError, self.ctx.load_cert_chain, None)
--- a/wrapper/python/wolfssl/wolfssl/_context.py
+++ b/wrapper/python/wolfssl/wolfssl/_context.py
@ -33,10 +33,12 @@ CERT_NONE = 0
 CERT_OPTIONAL = 1
 CERT_REQUIRED = 2

+_VERIFY_MODE_LIST = [CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED]
+
 _SSL_SUCCESS = 1
 _SSL_FILETYPE_PEM = 1

-class SSLContext:
+class SSLContext(object):
    """
    An SSLContext holds various SSL-related configuration options and
    data, such as certificates and possibly a private key.
@ -47,6 +49,7 @@ class SSLContext:

        self.protocol = protocol
        self._side = server_side
+        self._verify_mode = None
        self.native_object = _lib.wolfSSL_CTX_new(method.native_object)

        # wolfSSL_CTX_new() takes ownership of the method.
@ -57,12 +60,38 @@ class SSLContext:
        if self.native_object == _ffi.NULL:
            raise MemoryError("Unnable to allocate context object")

+        # verify_mode initialization needs a valid native_object.
+        self.verify_mode = CERT_NONE
+

    def __del__(self):
        if self.native_object is not None:
            _lib.wolfSSL_CTX_free(self.native_object)


+    @property
+    def verify_mode(self):
+        """
+        Whether to try to verify other peers’ certificates and how to behave
+        if verification fails. This attribute must be one of CERT_NONE,
+        CERT_OPTIONAL or CERT_REQUIRED.
+        """
+        return self._verify_mode
+
+
+    @verify_mode.setter
+    def verify_mode(self, value):
+        if value not in _VERIFY_MODE_LIST:
+            raise ValueError("verify_mode must be one of CERT_NONE, "
+                             "CERT_OPTIONAL or CERT_REQUIRED")
+
+        if value != self._verify_mode:
+            self._verify_mode = value
+            _lib.wolfSSL_CTX_set_verify(self.native_object,
+                                        self._verify_mode,
+                                        _ffi.NULL)
+
+
 #    def wrap_socket(self, sock, server_side=False,
 #                    do_handshake_on_connect=True,
 #                    suppress_ragged_eofs=True,
--- a/wrapper/python/wolfssl/wolfssl/_methods.py
+++ b/wrapper/python/wolfssl/wolfssl/_methods.py
@ -41,7 +41,7 @@ _PROTOCOL_LIST = [PROTOCOL_SSLv23, PROTOCOL_SSLv3, PROTOCOL_TLS,
                  PROTOCOL_TLSv1, PROTOCOL_TLSv1_1, PROTOCOL_TLSv1_2]


-class WolfSSLMethod:
+class WolfSSLMethod(object):
    """
    An SSLMethod holds SSL-related configuration options such as
    protocol version and communication side.
--- a/wrapper/python/wolfssl/wolfssl/build_ffi.py
+++ b/wrapper/python/wolfssl/wolfssl/build_ffi.py
@ -19,18 +19,18 @@
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
-import os

 from cffi import FFI

 ffi = FFI()

-ffi.set_source("wolfssl._ffi",
+ffi.set_source(
+    "wolfssl._ffi",
    """
-        #include <wolfssl/options.h>
-        #include <wolfssl/ssl.h>
+    #include <wolfssl/options.h>
+    #include <wolfssl/ssl.h>

-        void wolfSSL_Free(void *ptr, void* heap, int type);
+    void wolfSSL_Free(void *ptr, void* heap, int type);
    """,
    include_dirs=["/usr/local/include"],
    library_dirs=["/usr/local/lib"],
@ -38,7 +38,7 @@ ffi.set_source("wolfssl._ffi",
 )

 ffi.cdef(
-"""
+    """
    typedef unsigned char byte;
    typedef unsigned int  word32;

@ -52,11 +52,12 @@ ffi.cdef(
    void* wolfSSL_CTX_new(void*);
    void  wolfSSL_CTX_free(void*);

-    int wolfSSL_CTX_use_PrivateKey_file(void*, const char*, int);
-    int wolfSSL_CTX_load_verify_locations(void*, const char*, const char*);
-    int wolfSSL_CTX_load_verify_buffer(void*, const unsigned char*, long, int);
-    int wolfSSL_CTX_use_certificate_chain_file(void*, const char *);
-"""
+    void wolfSSL_CTX_set_verify(void*, int, void*);
+    int  wolfSSL_CTX_use_PrivateKey_file(void*, const char*, int);
+    int  wolfSSL_CTX_load_verify_locations(void*, const char*, const char*);
+    int  wolfSSL_CTX_load_verify_buffer(void*, const unsigned char*, long, int);
+    int  wolfSSL_CTX_use_certificate_chain_file(void*, const char *);
+    """
 )

 if __name__ == "__main__":